Account Takeover (ATO) – A Guide for Digital Business Leaders

11th July 2017

Account Takeover (ATO)

A Guide for Digital Business Leaders

Account Takeover has been identified by the Verizon 2016 Data Breach Investigations Report as the biggest threat to web applications today and quoted as accounting for as much as 90% of login traffic by Shape Security.

Account Takeover represents a critical threat to most online business, so with this in mind we have prepared a quick guide for Digital Business Leaders. In this guide we will provide you with an overview of what it is, how it impacts your business and customers and, how you can reduce the risks to your organisation.

What is Account Takeover?

Account Takeover is a type of identity theft where a hacker uses parts of the victim’s identity, often an email address, to gain access to their shopping, banking, betting or any other account of value.  There are two predominant methods hackers use to achieve this, which have been identified by OWASP as:

  • Credential Cracking – OAT-007: Identifying valid login credentials by trying different values for usernames and/or passwords
  • Credential Stuffing – OAT-008: Mass login attempts used to verify the validity of stolen username/password pairs

Credential Cracking

Credential Cracking is where a hacker uses automated bots, operating from a cloud computing environment, to cycle through every word in the dictionary in an attempt to guess a user’s password and hijack their account. It is also known as Brute Force, Brute Force Cracking or Dictionary Brute Force if the hacker targets a specific username.

Credential Stuffing

Credential Stuffing is where hackers use automated bots to inject breached username/password pairs into targeted systems. Where a password is known for an account on one site, credential stuffing attacks exploit password reuse to attempt to log in to other sites. Credential stuffing attacks are on the rise due to the increase in stolen credentials. In 2016 there were over 3bn reported spillages of login credentials.


  • Increased numbers of failed login attempts
  • Rise in traffic on login pages
  • Complaints from users regarding locked accounts

The Impacts of Account Takeover

Account Takeover is often referred to as the fraud that keeps on paying because unlike credit card theft, where cards can be quickly cancelled, successful Account Takeovers allow hackers to go undetected for longer periods. This enables hackers to gain higher rewards or sell details on the black market at higher prices. The average UK consumer has around 118 individual accounts. Analysis of compromised credentials has shown that approximately 70% of users, with accounts across multiple sites, used the same password for each. This means that even if the integrity of a user’s account for a given site is not breached, data leaked from elsewhere may pose a lucrative opportunity for hackers to attack it.

Whether hackers have purchased goods via a compromised account, transferred funds from an online banking system or used credentials on betting platforms, there are direct costs to both businesses and account holders. What this means is, if the problem cannot be eliminated or reduced, businesses will suffer the impact of these costs on a more frequent basis – even if the customer’s credentials have been breached from other websites and reused.

The indirect costs are less obvious. In addition to the financial impacts of fraud resulting from Account Takeover, businesses will experience damage to their brand identity and value. However, what most organisations will be less aware of is the impact of Account Takeover on their digital systems. With bot requests often being the most CPU intensive, prolonged automated attempts to log into accounts can drain system resources, reduce capacity and lead to performance degradation. Often, these bot requests can skew key tracking metrics and reduce performance for real customers.

What Can Be Done to Stop Account Takeover?

With data breaches on the rise, business need to recognise that just having the correct username and password is no guarantee a visitor is trustworthy.

1) Login History

Allowing your applications to store the history of a given user’s addresses, locations, devices, cookies and browsers can help identify compromised accounts. These data driven insights can also trigger challenges of login requests where the attempt does not match the user’s known data profile.

2) Limit Login Attempts

A common way to prevent credential cracking would be to limit the number of failed login attempts. However, in doing so we can often create UX issues, as even trustworthy customers may need more attempts if they have forgot a password. However, limiting login attempts will not help protect against credential stuffing where the hacker cycles through one email address with one password.

3) Multi-Factor Authentication

Once a history of logins has been built up, if the user deviates from their ‘known behaviour’ a request to authenticate using Multi-Factor Authentication (MFA) can be sent, if supported by your application. A popular way to do this would be requesting a one-time password with Google Authenticator. If your application is unable to support MFA, it is recommend you send the customer an email notifying them of the change in ‘known behaviour’ so they can flag if it seems suspicious.

4) Capcha

Due to hackers using automated bots to carry out Account Takeover attempts, a common risk reduction technique would be Capcha checks in your login processes. Although these will protect against some Bots, there a range of methods hackers use that can bypass Captcha, such as browser plugins, specialist bots and Capcha Farms. Capcha is certainly a great start to tackling Account Takeover challenges, but often this type of approach can lead to real-user frustration.

5) IP & User Agent Blacklisting

Many businesses will have the ability to blacklist IP Addresses and User Agents if malicious behaviour is identified. Some tools come with known blacklists built in. The issue with this is two-fold:

  • Hackers have become savvy to this tactic. TrafficDefender has identified several Account Takeover Bots rotating IP Ranges on a daily basis
  • IP Addresses are cycled and can very often be transferred to genuine users

6) Rate Limiting

Monitoring network traffic for spikes in requests from a single IP Address or IP Range can be used to identify simple Credential Cracking behaviour. However, sometimes these can take the form of a ‘low and slow attack’, with login attempts spanning several days or even weeks, making rate limiting difficult.

7) Web Application Firewalls

WAF’s are a common security solution for businesses. They are designed to protect applications from being exploited by common software vulnerabilities. The newest generation of malicious bots have been designed to bypass these systems by mimicking human behaviour, which enables them to evade even the most advanced WAF solutions.

8) Customer Education

Educating customers and encouraging good security is free and often easy way to implement protection against Account Takeover.  Encouraging your users to create strong and secure passwords, recommending or requiring them to use a minimum of 6 characters including a mix of uppercase, lowercase letters, numbers and symbols, can help protect their accounts and your organisation.

9) Dedicated Bot Identification

Between 5-50% of all a website traffic is made up of bots. Standard security solutions and practices are no longer robust enough to protect against malicious bots. With traditional approaches, businesses run the risk of accidentally blocking good bots and customers. Dedicated solutions, such as Bot Control, leverage the power of shared intelligence, specialist data scientists, customised rules and machine learning to stay one step ahead. Deploying these solutions will help your business identify and tackle the threat of Account Takeover and, protect you against many of the other issues caused by a much wider range of non-human traffic.


Account Takeover attempts are on the rise and pose a significant threat to any online business that has valuable user accounts. To protect your organisation and customers against these threats you should use a combination of application level changes, standard security solutions, customer education and a dedicated bot mitigation solution to protect your website.

If you are concerned about the risks Account Takeover poses to your organisation and customers, Intechnica can provide you with a free Traffic Audit that will enable you to understand what threats you are exposed to from bots and other non-human traffic.

Book A Traffic Audit